  1. Near Realtime RAN Intelligent Controller
  2. RIC-989

CVE-2023-40998 RMR: Negative Packet Size Causes Crash


    • Type: Security Bug
    • Resolution: Done
    • Priority: Medium
    • I
    • rmr
    • rmr library version: 4.9.0

      Hello,

      I would like to report an issue related to the packet size in the rmr library (ric-plt-lib-rmr).

      When processing received packets, the library decodes the first 4 bytes as the packet size.

      However, if the decoding result is a negative value, it leads to a subsequent core dump during the memcpy operation.

      Through an xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.

      This problem can be found in components that utilize the RMR library. For example, in the e2term, when receiving a packet with a decoded negative packet size on port 4561, it triggers this crash.

      I have attached images of the packets that led to the crash and the decoded packets.


            czichy Thoralf Czichy
            penguinic77 Nic Nic
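
The failure mode described in this report, shown as an added example that is not part of the original report and is not code from the RMR library: a receiver decodes a 4-byte size prefix as a signed value and rejects negative or inconsistent sizes before calling memcpy. The big-endian byte order, the frame layout and every function name here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum frame_status { FRAME_OK = 0, FRAME_SHORT = -1, FRAME_NEG_LEN = -2, FRAME_TOO_BIG = -3 };

/* Read the 4-byte prefix as a signed 32-bit size (big-endian is assumed here). */
static int32_t decode_size(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)u;
}

/* Hypothetical helper: validate the declared size, then copy the payload. */
int copy_payload(const unsigned char *buf, size_t buf_len,
                 unsigned char *dst, size_t dst_cap, size_t *out_len)
{
    if (buf == NULL || dst == NULL || out_len == NULL || buf_len < 4)
        return FRAME_SHORT;

    int32_t size = decode_size(buf);
    if (size < 0)                       /* as size_t this would be a huge memcpy count */
        return FRAME_NEG_LEN;
    if ((size_t)size > buf_len - 4)     /* declares more bytes than were received */
        return FRAME_SHORT;
    if ((size_t)size > dst_cap)         /* would overrun the destination buffer */
        return FRAME_TOO_BIG;

    memcpy(dst, buf + 4, (size_t)size);
    *out_len = (size_t)size;
    return FRAME_OK;
}

/* Constructed sample frames (not captured traffic). */
static const unsigned char good_frame[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char neg_frame[]  = { 0xff, 0xff, 0xff, 0xfc, 'a', 'b', 'c' };

/* Run the check over each constructed frame and return its status. */
int check_good(unsigned char *dst, size_t cap, size_t *n)
{
    return copy_payload(good_frame, sizeof good_frame, dst, cap, n);
}

int check_negative(unsigned char *dst, size_t cap, size_t *n)
{
    return copy_payload(neg_frame, sizeof neg_frame, dst, cap, n);
}
```

The order of the checks matters: the sign test comes before any cast to size_t, because a negative int32_t converted to size_t turns into a very large copy length.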